In ASP programming, identity authentication can be said to be used. But how can I do certification security? Example: Form Submit Page: Sub.htm
Administrator: password: p> form> body> html>
Sub.asp program <% received data user = request.from ("userid") The data submitted by the checklist is empty (the form page may be controlled with JavaScript or Vbscript, but not forget the control here! IF user = "" THEN Go to the error prompt page! Response.Redirect "err1.htm" This sentence may be useless, but with good! Response.end end if pass = request.from ("pass") if pass = "" Then Response.Redirect "Err2.htm" response.end endiff connection database file = server.mappath ("Your Database) SET CONN = Server.createObject (" AdoDb.Connection ") DR =" Driver = {Microsoft Access Driver (* .mdb)}; DBQ = "& file conn.open dr set = server.createObject (" adodb.recordset ") The key is the SQL language SQL =" SELECT * FROM table where user = "& user &" and pass = "& Pass &" "RS.Open SQL if Not rs.eof dam found, enter the management page reponse.Redirect" login.asp "ELSE did not find it to enter the error page response.write" Err3.htm "End IF%> everyone feels above The code should have no problem, but there is a serious security risks: I want to enter the administrator if I want to log in to the administrator, enter: A or 1 = 1 or OR = III Enter: a or 1 = 1 or OR = Submit, everyone will see ... "Hey, listen to me is good, bricks will be lost again ..." "A" and "1 "Some people who will ask for any character will enter these characters to enter the administrator. What these characters are deceived for SQL language in your program, and everyone who successfully enters: Start program SQL is a table Records for USER = "& User &" and pass = "& pass" "condition SQL =" SELECT * FROM table where User = "& user &" and pass = "& pass" "I entered the code above the code: SQL =" SELECT * FROM table where user = a or 1 = 1 and pass = a or 1 = 1 "everyone to see Can you have a reason not to enter? ? Give me a reason that doesn't enter, first! The above User Pass field is the same as the character pattern!